AI Security Review
scanned 12h ago · by lpm-firewall-ai
Install-time script mutates broad Claude/AI-agent control surfaces in the user's home directory. It installs package-supplied skills and registers an auto-latest MCP server without an explicit user-invoked setup step.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/postinstall.js
- scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion
- scripts/postinstall.js registers an MCP server in Claude Code via claude mcp add-json --scope user
- scripts/postinstall.js edits ~/.claude.json and Claude Desktop claude_desktop_config.json fallback paths
- MCP config uses command npx args ['-y','amicus@latest','mcp'], creating a standing auto-latest agent tool registration
- scripts/setup-hooks.js can set git core.hooksPath from postinstall when install occurs in a git checkout
- Postinstall is best-effort and has AMICUS_SKIP_POSTINSTALL=1 guard
- No credential exfiltration or destructive payload found in inspected install path
- Installed skill/MCP content is product-aligned multi-model sidecar functionality
Source & flagged code
9 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/amicus.js (line 13): Package source references dynamic require/import behavior.
- scripts/postinstall.js (line 5): Install-time source drops package-supplied AI-agent/MCP control files or instructions.
- src/sidecar/electron-install.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/sidecar/unzip.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/sidecar/setup-window.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/opencode-client.js: Source file is highly similar to a previously finalized malicious package; route for source-aware review.
- src/mcp-server.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.